Provisions on Public Security Organs' Internet Security Oversight and Inspections

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS --THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.

Provisions on Public Security Organs' Internet Security Oversight and Inspections

Chapter I: General Provisions

Article 1: These Provisions are formulated on the basis of the "People's Republic of China Police Law", the "People's Republic of China Cybersecurity Law" and other relevant laws and administrative regulations, so as to strengthen and regulate efforts to oversee and inspect Internet security, to prevent online violations and crimes, to preserve network security, to and to protect the lawful rights and interests and citizens, legal persons, and other organizations.

Article 2: These Provisions apply to public security organs' lawful conduct of security oversight and inspections of Internet service providers' and network-using units' performance of network security obligations as provided for in laws, administrative regulations.

Article 3: Internet security oversight and inspection efforts are to be organized and carried out by the network security protection departments of public security organs for people's governments at the county level or above.

Article 4: Public security organs carrying out Internet security oversight and inspections shall comply with the directives on lawful and scientific management, and ensuring and promoting development; shall strictly obey the legally prescribed scope of authority and procedures, and continuously improve law enforcement methods, and comprehensively implement law enforcement responsibility.

Article 5: Public security organs and their staffs shall strictly maintain the confidentiality of personal information, private matters, commercial secrets, and state secrets that they learn of in the course of performing their Internet security oversight and inspection duties, and must not leak, sell, or illegally provide it to others.

Information obtained by public security organs or their staffs while performing Internet security oversight and inspection duties can only be used as necessary for the protection of network security, and must not be used in other ways.

Article 6: Public security organs shall promptly report any network security risks that they discover during Internet oversight and inspection efforts, which might endanger national security, public safety, or social order, to the relevant regulatory departments and units.

Chapter II: The Targets and Content of Oversight and Inspections

Article 8: Internet security oversight and inspections are to be implemented by the public security organs for the sites f Internet service providers business operation bodies and network-using units' network management bodies. Where internet service providers are individuals, the public security organs for their habitual residence may implement.

Article 9: As required by the specific situations of protecting network security and hidden threats to network security, public security organs shall carry out oversight and inspections of the following Internet service providers and network-using units:

Key oversight and inspections shall be carried out of those carrying out the services described in the preceding paragraph for less than one year, that have had network security incidents or violations or crimes occur within the last two years, or those that have been given administrative punishments by the public security organs for failure to perform legally prescribed network security obligations.

Article 10: Public security organs shall conduct supervision and inspections of the following conduct in accordance with relevant national provisions and standards, and on the basis of the actual status of Internet service providers and network-using units' performance of their legally-prescribed network security obligations:

(1) Whether they handled networked-unit filing procedures, and reported basic information and its altered circumstances of access units and users;

(3) Whether they lawfully adopted technical measures to record and retain user registration information and logs of their going online;

(4) Whether they adopted technological measures such as to prevent computer viruses, network attacks, network intrusions and so forth;

(5) Whether they have lawfully adopted relevant prevention measures in public information services against information which laws and administrative regulations prohibit the publication or transmission of;

(6) Whether they have followed the legal requirements to provide technical support and assistance to public security organs' lawful activities preserving national security, preventing terrorist activities, and investigating crimes;

(7) Whether they performed hierarchical network security protections and other such obligations as provided for by laws and administrative regulations.

Article 11: In addition to the content listed in article 10, public security organs shall also conduct oversight and inspections of the following content based on the type of internet services provided:

(1) Oversee and inspect whether those providing Internet access services have recorded and retained network addresses and their distribution and usage;

(2) Oversee and inspect whether those providing Internet data center services have recorded information on users of hosting, dedicated hosting, and virtual space they provided;

(3) Oversee and inspect whether those providing domain name services have recorded information on applications and modification of domain names, and whether they have employed measures to lawfully address illegal domain names;

(4) Oversee and inspect whether those providing internet information services have lawfully employed measures for the management of information published by users, and whether they have adopted measures to address information which laws and administrative regulations prohibit the transmission of that has already been released, and to retain the records;

(5) Oversee and inspect whether those providing content delivery services have recorded the connectivity between content delivery networks and content source network links;

(6) Whether those providing public online services have taken network and information security protection measures that comply with national standards.

Article 12: During periods for major national network security defense tasks, public security organs may carry out special security oversight and inspections of related Internet service providers and network-using units, on the following content:

(1) Whether a work plan was drafted as required for the major network security defense task, specifying the division of labor for network security responsibility, and determining the network security management personnel;

(5) Whether requirements were followed to report on network security preventative measures and their implementation to the public security organs.

The content of the preceding paragraph is to implemented for Internet security oversight and inspections of key targets for prevention of terrorist attacks.

Chapter III: Supervision and Inspection Procedures

Article 13: Public security organs carrying out Internet security oversight and inspections may conduct them by employing on-scene oversight and inspection methods or remote testing.

Article 14: When public security organs carry out on-scene internet security oversight and inspections, there must not be less than two people's police, and they shall present their police identification and an oversight and inspection notice issued by the public security organs for a people's governments at the county level or above.

Article 15: Public security organs carrying out on-scene Internet security oversight and inspections may employ the following measures as necessary:

(1) Entering business premises, computer rooms, or workspaces;

(2) Requesting that the responsible parties for the targets of oversight and inspections or the network security administrators make explanations of matters for oversight and inspection;

(3) Reading and reproducting information related to matters in the Internet security oversight and inspections.

Article 16: The public security organs may carry out remote testing of whether Internet service providers and network-using units have network security leaks.

Public security organs carrying out remote testing shall first inform the target of the oversight inspection of the inspection's time, scope, and other such matters, or publicly announce the matters for inspection, and they must not interfere with or undermine the normal operations of the target of the oversight and inspections.

Article 17: Public security organs carrying out on-scene oversight and inspections or remote testing may retain network security service establishments that have relevant technical abilities to provide technical support.

Network security service establishments and their staffs shall strictly maintain the confidentiality of personal information, private matters, commercial secrets, and state secrets that they learn of in the course of performing their Internet security oversight and inspection duties, and must not leak, sell, or illegally provide it to others.Public security organs shall strictly supervise the network security service establishments' implementation of network security management and confidentiality responsibilities.

Article 18: Public security organs carrying out on-scene oversight and inspections shall produce oversight and inspection records and have them signed by the people's police that carried out the oversight and inspections and by the responsible party or network security administrators for the target of the oversight and inspections.Where the responsible party or network security administrators for the target of the oversight and inspections have objections to the records, they shall be permitted to make explanations; and where they refuse to sign, the people's police shall note this in the oversight and inspection notes.

Public security organs carrying out remote testing shall produce oversight and inspection records and have them signed by two or more of the people's police that carried out the oversight and inspections sign the record.

Where network security service establishments provide technical support, the technical support staff shall sign the oversight and inspection records as well.

Article 19: Where in the course of Internet security oversight and inspections, public security organs discover that Internet service providers or network-using units have hidden risks to network security, they shall push and guide them in employing measures to eliminate the hidden risks and note this in the oversight and inspection records; where illegal conduct is discovered, but the circumstances are minor or have not yet caused any consequences, they shall order that corrections be made within a set period.

Where the targets of oversight and inspections feel that they have completed corrections before the completion of the set time period, they may submit a written application for re-examination to the public security organs.

Public security organs shall conduct a re-examination of the corrections within 3 working days of the period set for corrections being completed or of receiving the target of oversight and inspection's application for early re-examination, and give feedback on the re-examination outcome within 3 working days of completing the re-examination.

Article 20: Materials collected during the oversight and inspection process, all kinds of documents produces, and other such materials, shall be filed and archived in accordance with provisions.

Chapter IV: Legal Responsibility

Article 21: Where during Internet security oversight and inspections, public security organs discover that internet service providers and network-using units have the following conduct, they are to give administrative punishments in accordance with law:

(1) Failures to establish and implement network security management systems and operating procedures, and failing to designate the persons responsible for network security, are to be punished in accordance with the provisions of Article 59, paragraph 1, of the "People's Republic of China Cybersecurity Law";

(2) Failures to employ technological measures to prevent computer viruses, network attacks, network intrusions, and other conduct endangering network security, are to be punished in accordance with the provisions of Article 59, paragraph 1, of the "People's Republic of China Cybersecurity Law";

(3) Failures to employ measures record and retain user registration information and online log information, are to be punished in accordance with the provisions of Article 59, paragraph 1, of the "People's Republic of China Cybersecurity Law";

(4) In the provision of services such as Internet information publication or instant messaging, failure to request that users provide their real identity information, or providing services to those users that do not provide real identity information, is to be punished in accordance with the provisions of Article 61, of the "People's Republic of China Cybersecurity Law";

(5) Failures to employ measures to address and store records of information that laws or administrative regulations prohibit the publication or transmission of, such as stopping transmission or deletion, in accordance with law or the requests of public security organs, is to be punished in accordance with Article 68 and Article 69, paragraph 1 of the "People's Republic of China Cybersecurity Law";

(6) Refusal to provide technical support and assistance to public security organs lawfully protecting national security and investigating crimes, is to be punished in accordance with law with article 69, paragraph 3, of the "People's Republic of China Cybersecurity Law".

Where the conduct in items (4)-(6) in the preceding paragraph violates the "Anti-Terrorism Law of the People's Republic of China", it is to be punished in accordance with article 84 or 86 paragraph 1 of the "Anti-Terrorism Law of the People's Republic of China"

Article 22: Where, in the course of Internet security oversight and inspections, public security organs discover that Internet service providers or network-using units have stolen, or otherwise illegally acquired, personal information, or illegally sold or provided it to others, but it has not yet constituted a crime, they are to give punishments in accordance with article 64, paragraph 2, of the "People's Republic of China Cybersecurity Law".

Article 23: Where in the course of Internet security oversight and inspections, public security organs discover that Internet service providers or network-using units have set up malicious programs during the provision of Internet services, they shall give punishments in accordance with article 60(1), of the "Cybersecurity Law".

Article 24: Where Internet service providers and network-using units refuse of obstruct the implementation of Internet security oversight and inspections, punishment is to be given in accordance with the "People's Republic of China Cybersecurity Law" Article 69(2); where they refuse to cooperate with counter-terrorism efforts, punishment is to be given in accordance with articles 91 or 92 of the "People's Republic of China Counter-terrorism Law."

Article 25: Where network security service establishments that are retained by public security organs to provide technical support, and their staffs, engage in illegal intrusions into the targets of supervision and inspections' networks, disrupt the normal function of the targets' networks, steal network data, or have other activities endangering network security, punishment is to be given in accordance with article 62 of the "People's Republic of China Cybersecurity Law; where they steal or otherwise illegally obtain, illegally sell, or illegally provide others with personal information learned of in this work, punishment is to be given in accordance with article 64, paragraph 2 of the "People's Republic of China Cybersecurity Law", and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Where establishments and persons provided for in the preceding paragraph infringe the commercial secrets of oversight and inspection, and a crime is constituted, criminal responsibility is to be pursued in accordance with law.

Article 26: Where public security organs and their staffs have derelicted their duties, abused their authority, or twisted the law for personal gain in oversight and inspection efforts, sanctions are to be given to the responsible managers and other directly responsible personnel in accordance with law; and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Article 27: Where internet service providers and network-using units violate these Provisions, conduct that constitutes a violation of public security management shall receive public security punishments according to the law; and where a crime is constituted, criminal responsibility shall be prosecuted according to the law.

Chapter V: Supplementary Provisions

Article 28: Oversight and inspections of Internet online service business premises are to be implemented in accordance with the relevant provisions of the "Regulations on the Management of the Internet Online Service Business Premises".

Article 29: These Provisions are to be implemented from November 1, 2018.